
Manage access in S3

Access to S3 resources is regulated at three levels:

  • projects — define access within an isolated group of resources;
  • role model — defines access within the account and the project;
  • access policy — defines access within the bucket.

When a request to perform an action is received in S3, access is first checked against the role model. If the role model allows access, the access policy is then checked; if the role model denies access, the request is denied without consulting the access policy.

For API or FTP access, issue keys.

Role model access

member

User with full access to all services. Cannot manage access control: users, service users, user groups and federations.

Access areas
  • account;
  • project
Who can be assigned
  • users;
  • service users;
  • user groups
Available operations and resources in S3

In the Account access area:

  • S3 management in all projects of the account:
    • view the list of buckets in all projects of the account;
    • view the contents of buckets in all projects of the account;
    • manage objects in buckets (upload, delete, etc.) in all projects of the account;
    • change bucket settings in all projects of the account;
    • configure bucket access policies in all projects of the account
  • management of projects, their limits and quotas;
  • billing management

In the Project access area:

  • S3 management in the selected project:
    • view the list of buckets;
    • view the contents of buckets;
    • manage objects in buckets (upload, delete, etc.);
    • change bucket settings

billing

User with access to billing management and without access to service management.

Access areas
  • account
Who can be assigned
  • users;
  • service users;
  • user groups
Available operations and resources in S3
  • billing management;
  • view of S3 consumption

iam_admin

User with access to user management and without access to services and billing. Cannot manage their own account: change permissions, manage notifications, delete it. The first user with the iam_admin role is created by the Account Owner.

Access areas
  • account
Who can be assigned
  • users;
  • service users;
  • user groups
Available operations and resources in S3
  • none (the role has no access to services)

reader

A user with view-only access to everything that a member can manage in the same access area.

Access areas
  • account;
  • project
Who can be assigned
  • users;
  • service users;
  • user groups
Available operations and resources in S3

In the Account access area:

  • view the list of buckets in all projects of the account;
  • view the contents of buckets in all projects of the account;
  • view the settings of all projects, their limits and quotas;
  • view billing data (balance, bank cards, report documents, partner program, etc.)

In the Project access area:

  • view the list of buckets in the selected project;
  • view the contents of buckets in the selected project

object_storage:admin

User with full access to S3 management within the project. Does not have access to S3 in other projects or to other products in its project. For more information, see the instructions Managing access in S3.

Access areas
  • project
Who can be assigned
  • service users;
  • user groups
Available operations and resources in S3
  • view the list of buckets in the project;
  • view the contents of buckets;
  • manage objects in buckets (upload, modify, delete, etc.);
  • change bucket settings;
  • configure the bucket access policy

object_storage_user

A user with access to S3 buckets only if an access policy is configured that allows access to those buckets for that user; see the Manage Access in S3 instructions for details. The degree of access is determined by the access policy settings. Does not have access to S3 in other projects or to other products in its project.

Access areas
  • project
Who can be assigned
  • service users;
  • user groups
Available operations and resources in S3
  • view the list of buckets in the project;
  • operations in the buckets that are allowed by the access policy

Access within the access policy

If the user's role provides access to S3, access to a particular bucket depends on whether an access policy exists for it and on the policy's settings.

See the Access Policy section for more information on how the access policy works.
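The two-stage check described above (role model first, then the bucket access policy) as an added example; this is a toy model written for this page, not the provider's code. The permission sets, the policy format (principal name to allowed actions) and the rule that an object_storage_user is denied when no policy statement names it are assumptions drawn from the role tables, not a specification of the real evaluator.

```python
from __future__ import annotations
from dataclasses import dataclass, field

READ = {"ListBuckets", "GetObject"}
FULL = READ | {"PutObject", "DeleteObject", "PutBucketPolicy"}

# Stage-1 permission sets per role (assumed approximation of the tables above).
# object_storage_user passes stage 1 for every S3 action in its project because
# its effective rights are decided entirely by the bucket policy at stage 2.
ROLE_S3_ACTIONS = {
    "member": FULL, "reader": READ, "object_storage:admin": FULL,
    "object_storage_user": FULL, "billing": set(), "iam_admin": set(),
}
POLICY_REQUIRED = {"object_storage_user"}  # assumption: no policy statement -> denied

@dataclass
class Principal:
    name: str
    role: str
    scope: str                  # "account" or "project"
    project: str | None = None  # project the role is bound to when scope == "project"

@dataclass
class Bucket:
    name: str
    project: str
    # Constructed policy format: principal name -> actions it may perform.
    policy: dict[str, set[str]] = field(default_factory=dict)

def role_allows(p: Principal, b: Bucket, action: str) -> bool:
    """Stage 1: the role model. Project-scoped roles never reach other projects."""
    if p.scope == "project" and p.project != b.project:
        return False
    return action in ROLE_S3_ACTIONS.get(p.role, set())

def policy_allows(p: Principal, b: Bucket, action: str) -> bool:
    """Stage 2: the bucket access policy (assumed semantics, see lead-in)."""
    if p.name in b.policy:
        return action in b.policy[p.name]
    return p.role not in POLICY_REQUIRED

def check_access(p: Principal, b: Bucket, action: str) -> str:
    """Role model first; the policy is consulted only when the role allows access."""
    if not role_allows(p, b, action):
        return "denied by role model"
    if not policy_allows(p, b, action):
        return "denied by access policy"
    return "allowed"

# Constructed sample data: one bucket in project prj-a, four principals.
BUCKET = Bucket("reports", project="prj-a", policy={"svc-etl": {"GetObject", "PutObject"}})
ADMIN = Principal("alice", "member", "account")
ETL = Principal("svc-etl", "object_storage_user", "project", "prj-a")
ETL_OTHER = Principal("svc-etl", "object_storage_user", "project", "prj-b")
BILLING = Principal("bob", "billing", "account")
```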

Keys for API access

Depending on the type of API, the user will need:

Issue an S3 key to a user

For your information

For an S3 key (EC2 key) to work, the user must have a role with access to S3.

Control panel users can issue S3 keys for themselves, but we recommend creating service users and using keys together with them.

S3 keys can be issued to other users only by the Account Owner or by a user with the iam_admin role. A service user cannot obtain an S3 key on their own, because they do not have access to the control panel; the key must be issued to them by the Account Owner or an iam_admin.

A separate key must be created for each project. Multiple keys can be issued for one project.

  1. In the control panel, on the top menu, click Account.

  2. Go to the section with the desired user type:

    • Users — for control panel users;
    • Service users — for service users.
  3. Open the user page → Access tab.

  4. In the S3 keys block, click Add Key.

  5. Enter the name of the key.

  6. Select the project for which the key will work.

  7. Click Generate. Two values will be generated:

    • Access key — the Access Key ID, the key identifier;
    • Secret key — the Secret Access Key, the secret part of the key.
  8. Click Copy and save the key — it cannot be viewed again after the window is closed.